Manage your IP filtering rule sets

Add another layer of security to your installation and deployments by restricting inbound IP address traffic to only the sources that you trust. In the quickly changing world of spoofed IP addresses and security compromises, you can conveniently manage rule sets across multiple deployments with a change at the platform level — saving you time and enforcing more consistent security measures. You can test out rule sets before applying them to production deployments and then quickly add them where needed.

Elastic Cloud Enterprise supports IP filtering rules with IPv4, IPv6, or a range of addresses with Classless Inter-Domain Routing (CIDR) for HTTP and transport protocols. This feature is available for deployments at version 2.4.6 and newer.

You can create multiple rule sets; however, traffic is not filtered until a rule set with at least one rule is applied to the deployment. When the first rule is applied, it also enables the implicit Deny All rule for unwanted traffic.

Note

You don't need to worry about traffic between the instances in your deployment; that traffic is automatically allowed.

Before you begin

You must:

  • Re-upload the Elastic Stack packs to take advantage of IP filtering.
  • Make sure your load balancer handles the X-Forwarded-For header appropriately for HTTP requests to prevent IP address spoofing. Make sure the proxy protocol is enabled for the transport protocol (port 9343).

You should also be aware:

  • IP filtering can be bypassed by users with permissions to create or modify watches in clusters in the same Elastic Cloud Enterprise environment.
  • In 2.3.1, port 9343 (encrypted transport) traffic all appears to come from the IP address of the load balancer. In order to use IP traffic management, the load balancer must terminate TLS, add the proxy protocol header, and then route traffic to the 9300 port of the proxy.

Create an IP filtering rule set

You can combine any rules into a set, so we recommend that you group the rules according to what they allow, and make sure to label them accordingly. Since multiple sets can be applied to a deployment, you can be as granular in your sets as you feel is necessary.

To create a rule set:

  1. Log in to the Cloud UI.
  2. From the Platform menu, select Security.
  3. Create your rule set, providing a meaningful name and description.
  4. Add one or more rules using IPv4, IPv6, or a range of addresses with CIDR.

    Note

    DNS names are not supported in rules.

The next step is to associate one or more rule sets with your deployments.

Use the RESTful API to add multiple rule sets

You can add rules and rule sets in bulk through the RESTful API.

  1. Add rule sets:

    curl -X POST -u $USERNAME:$PASSWORD https://$COORDINATOR_HOST:12443/api/v1/deployments/ip-filtering/rulesets -H 'content-type: application/json' -d '{
      "name": "RULE_SET_NAME",
      "description": "RULE_SET_DESCRIPTION",
      "rules": [
        {
          "description": "RULE_DESCRIPTION",
          "source": "192.0.2.0/24"
        },
        {
          "description": "RULE_DESCRIPTION",
          "source": "203.0.113.0/24"
        }
      ]
    }'

    Where:

      • $USERNAME:$PASSWORD: The admin user credentials
      • $COORDINATOR_HOST: A host that you installed Elastic Cloud Enterprise on that holds the coordinator role, such as a host where you can log in to the Cloud UI
      • RULE_SET_NAME: The name of the rule set, used in the drop-down menu
      • RULE_SET_DESCRIPTION: Details about the rule set (optional)
      • RULE_DESCRIPTION: Details about the IP address (optional)

  2. Verify the rule sets:

    curl -X GET -u $USERNAME:$PASSWORD https://$COORDINATOR_HOST:12443/api/v1/deployments/ip-filtering/rulesets
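
Because rules accept only IPv4 addresses, IPv6 addresses, or CIDR ranges and DNS names are not supported, it helps to check every source before posting rule sets in bulk. The following Python sketch is an added example, not part of the Elastic documentation; the function names, the sample rules, and the choices to reject ranges with host bits set and zero-length prefixes are assumptions of this example, not documented Elastic Cloud Enterprise behavior.

```python
import ipaddress
import json


def validate_source(source):
    """Return the canonical form of a rule source, or raise ValueError."""
    source = source.strip()
    try:
        if "/" not in source:
            return str(ipaddress.ip_address(source))  # single IPv4/IPv6 address
        # strict=True rejects host bits (192.0.2.5/24): usually a typo.
        net = ipaddress.ip_network(source, strict=True)
    except ValueError as exc:
        raise ValueError(f"{source!r}: not an IP address or CIDR range ({exc})") from exc
    if net.prefixlen == 0:
        # Example policy (assumption): a /0 rule allows every source address.
        raise ValueError(f"{source!r}: matches every address, so it filters nothing")
    return str(net)


def build_rule_set(name, description, rules):
    """Build the JSON body for POST .../ip-filtering/rulesets.

    rules is an iterable of (rule_description, source) pairs.
    Returns (payload, errors); invalid sources are left out of the payload.
    """
    payload = {"name": name, "description": description, "rules": []}
    errors = []
    for rule_description, source in rules:
        try:
            clean = validate_source(source)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        payload["rules"].append({"description": rule_description, "source": clean})
    return payload, errors


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    sample = [
        ("Office egress", "192.0.2.0/24"),
        ("Partner VPN", "2001:db8:10::/48"),
        ("Typo in prefix", "192.0.2.0/241"),
        ("DNS name", "vpn.example.com"),
        ("Allow all", "0.0.0.0/0"),
    ]
    body, problems = build_rule_set("RULE_SET_NAME", "RULE_SET_DESCRIPTION", sample)
    for problem in problems:
        print("rejected:", problem)
    print(json.dumps(body, indent=2))
```

Post the payload only once the list of rejected sources is empty, so that a mistyped range never silently drops out of the rule set.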

Delete a rule set or rules

If you need to remove a rule or rule set from the entire platform, you can do so in one place. However, if you need to remove a rule set, you must first remove associations with any deployments.

To delete a rule:

  1. Log in to the Cloud UI.
  2. From the Platform menu, select Security.
  3. Expand the appropriate rule set and delete the rule.

If there are other rules in the set, the traffic that was allowed by the deleted rule is now blocked.

To delete a rule set and the rules within it:

  1. Remove any deployment associations.
  2. Get the rule set ID:

    curl -X GET -u $USERNAME:$PASSWORD https://$COORDINATOR_HOST:12443/api/v1/deployments/ip-filtering/rulesets

  3. With the rule set ID returned from step 2, delete the rule set through the Cloud UI or use the API:

    curl -X DELETE -u $USERNAME:$PASSWORD https://$COORDINATOR_HOST:12443/api/v1/deployments/ip-filtering/rulesets/RULE_SET_ID